Debian Security Advisory

DSA-541-1 icecast-server -- missing escape

Markus Wörle discovered a cross site scripting problem in
status-display (list.cgi) of the icecast internal webserver, an MPEG
layer III streaming server. The UserAgent variable is not properly
html_escaped so that an attacker could cause the client to execute
arbitrary Java script commands.

For the stable distribution (woody) this problem has been fixed in
version 1.3.11-4.2.

For the unstable distribution (sid) this problem has been fixed in
version 1.3.12-8.